In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the situational awareness needed to stay on top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculation and real-time CYBERINT assessments, all packed with a sarcastic attitude.
Thursday, July 04, 2013
Summarizing Webroot's Threat Blog Posts for June
The following is a brief summary of all of my posts at Webroot's Threat Blog for June, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:
01. Compromised FTP/SSH account privilege-escalating mass iFrame embedding platform released on the underground marketplace
02. New E-shop sells access to thousands of hacked PCs, accepts Bitcoin
03. Pharmaceutical scammers impersonate Facebook’s Notification System, entice users into purchasing counterfeit drugs
04. iLivid ads lead to ‘Searchqu Toolbar/Search Suite’ PUA (Potentially Unwanted Application)
05. Hacked Origin, Uplay, Hulu Plus, Netflix, Spotify, Skype, Twitter, Instagram, Tumblr, Freelancer accounts offered for sale
06. Scammers impersonate the UN Refugee Agency (UNHCR), seek your credit card details
07. Fake ‘Unsuccessful Fax Transmission’ themed emails lead to malware
08. Tens of thousands of spamvertised emails lead to W32/Casonline
09. Rogue ads lead to SafeMonitorApp Potentially Unwanted Application (PUA)
10. How cybercriminals apply Quality Assurance (QA) to their malware campaigns before launching them
11. Rogue ads target EU users, expose them to Win32/Toolbar.SearchSuite through the KingTranslate PUA
12. New boutique iFrame crypting service spotted in the wild
13. Rogue ‘Oops Video Player’ attempts to visually social engineer users, mimics Adobe Flash Player’s installation process
14. New E-Shop sells access to thousands of malware-infected hosts, accepts Bitcoin
15. New subscription-based SHA256/Scrypt supporting stealth DIY Bitcoin mining tool spotted in the wild
16. Rogue ‘Free Mozilla Firefox Download’ ads lead to ‘InstallCore’ Potentially Unwanted Application (PUA)
17. SIP-based API-supporting fake caller ID/SMS number supporting DIY Russian service spotted in the wild
18. Rogue ‘Free Codec Pack’ ads lead to Win32/InstallCore Potentially Unwanted Application (PUA)
19. Self-propagating ZeuS-based source code/binaries offered for sale
20. How cybercriminals create and operate Android-based botnets
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Saturday, June 22, 2013
Fake 'Rihanna & Chris Brown S3X Video' Spam Campaign Spreading Across Facebook, Monetized Through Adf Dot Ly PPC Links
A currently ongoing, clickjacking-driven spam campaign is circulating across Facebook. Affected users further spread the adf.ly links on their friends' Walls, tagging them in the process, while the cybercriminal(s) behind the campaign earn revenue through the adf.ly pay-per-click (PPC) monetization scheme.
Redirection chain:
hxxp://adf.ly/Qrd2f?cid=51c3e798aff9a -> hxxp://rihannaofficialvideo.blogspot.de/?231514 -> hxxp://www.smilegags.com/watch/jack.php?action=connect&cid=51c3e798aff9a -> hxxp://lolzbestpic.com
MD5s for the Facebook spamming/click-jacking scripts:
MD5: fe97840bd2af654acdb63fd80b094531
MD5: f8a360728a896d40bbb0f190375fb6f6
MD5: bae32ffd43ac2f518dafeedb8901e2de
MD5: 90fa366b8affac24fe182b7b5de51b16
Domain name reconnaissance:
smilegags.com - 184.107.164.158
lolzbestpic.com - 64.79.76.226
Name servers used:
Name Server: NS1.PYARISHQ.INFO
Name Server: NS2.PYARISHQ.INFO
Name Server: NS1.HOSTING.XLHOST.COM
Name Server: NS2.HOSTING.XLHOST.COM
Responding to the same IP (184.107.164.158) are also the following domains:
amasave.com
wikilieaksvideo.com
ns1.pyarishq.info
ns2.pyarishq.info
Known to have responded to the same IP (184.107.164.158) in the past are also the following domains:
Responding to the same IP (64.79.76.226) is also the following domain:
silali.info
Known to have responded to the same IP (64.79.76.226) in the past is also the following domain:
promvideo.pw
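An added example, not code from the post, that turns the redirection chain and the domain-to-IP observations above into structured indicators a defender can act on: it refangs the hxxp:// hops, pivots on shared IPs the way the reconnaissance section does, and keeps shared platforms such as adf.ly and blogspot.de out of the resulting denylist. The SHARED tuple is an assumption made for illustration.

```python
import re

# Redirection chain exactly as published in the post (defanged with hxxp://).
CHAIN = ("hxxp://adf.ly/Qrd2f?cid=51c3e798aff9a -> "
         "hxxp://rihannaofficialvideo.blogspot.de/?231514 -> "
         "hxxp://www.smilegags.com/watch/jack.php?action=connect&cid=51c3e798aff9a -> "
         "hxxp://lolzbestpic.com")

# Domain -> IP observations transcribed from the post's reconnaissance section.
PDNS = {
    "smilegags.com": "184.107.164.158",
    "amasave.com": "184.107.164.158",
    "wikilieaksvideo.com": "184.107.164.158",
    "ns1.pyarishq.info": "184.107.164.158",
    "ns2.pyarishq.info": "184.107.164.158",
    "lolzbestpic.com": "64.79.76.226",
    "silali.info": "64.79.76.226",
}

# Assumed shared platforms seen in the chain: blocking them outright would hit
# legitimate traffic, so they are reported by chain_hosts but kept out of the denylist.
SHARED = ("adf.ly", "blogspot.de")

def refang(url):
    """Restore the real scheme from the hxxp:// defanged form."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.I)

def chain_hosts(chain):
    """Hostname of every hop in order, lower-cased, with a leading www. removed."""
    hosts = []
    for hop in chain.split("->"):
        m = re.match(r"^https?://([^/?#]+)", refang(hop))
        if m:
            h = m.group(1).lower()
            hosts.append(h[4:] if h.startswith("www.") else h)
    return hosts

def cohosted(pdns, host):
    """Other domains observed on the same IP as host: the post's IP pivot."""
    ip = pdns.get(host)
    return {d for d, i in pdns.items() if ip and i == ip and d != host}

def is_shared(host):
    return any(host == s or host.endswith("." + s) for s in SHARED)

def denylist(chain, pdns):
    """Attacker-controlled chain hosts plus the domains co-hosted with them."""
    out = set()
    for h in chain_hosts(chain):
        if is_shared(h):
            continue
        out.add(h)
        out |= cohosted(pdns, h)
    return sorted(out)
```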
Related posts:
Koobface Botnet Redirects Facebook's IP Space to my Blog
Malware-Serving "Who's Viewed Your Facebook Profile" Campaign Spreading Across Facebook
Fake 'Facebook Profile Spy Application' Campaign Spreading Across Facebook
Phishing Campaign Spreading Across Facebook
Facebook Malware Campaigns Rotating Tactics
MySpace Phishers Now Targeting Facebook
Facebook Photo Album Themed Malware Campaign, Mass SQL Injection Attacks Courtesy of AS42560
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits